Remote Code Execution by Subscriber+ users via WordPress shortcode
CVE-2022-24663

9.9CRITICAL

Key Information:

Vendor
Alexander Fuchs
Status
PHP Everywhere
Vendor
CVE Published:
16 February 2022

Summary

PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user.

Affected Version(s)

PHP Everywhere WordPress 2.0.3

References

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ramuel Gall, Wordfence
.
🍪 This website uses cookies, like every other website on the internet 😕 By using our website, you consent to the use of cookies.